
Statement

I would like to do a simple login validation where the condition is that the username and password match a table in the MySQL server called admin.

What I have tried so far

In the following code, there are undefined indexes in login_check.php for these two lines:

$uname = mysqli_real_escape_string($conn,$_POST['username'] );
$pass = mysqli_real_escape_string($conn,$_POST['password'] );

login.php (front.php = main page)

<form method="post" action="login_check.php">
        <input type="text" name="username" placeholder="Username" required>
        <span class="error"><?php echo $uname_error; ?></span>
        <input type="password" name="password" placeholder="Password" required>
        <span class="error"><?php echo $pass_error; ?></span>
        <button type="submit" name="Log In" value="Log In">Log In</button> <!--Go to front.php if both username and password are correct.-->
</form>

login_check.php

<?php

    //Establish connection
    include 'connection.php';

    $uname_error = $pass_error ="";

    $uname = mysqli_real_escape_string($conn,$_POST['username'] );
    $pass = mysqli_real_escape_string($conn,$_POST['password'] );
    $sql = "SELECT admin_username,admin_password FROM admins";

    if(isset($_POST['Log In']))
    {
         //Check Username
         if($uname == "username")
         {
                   //Check Password
                   if($pass == "password")
                   {
                   header("location:front.php"); //If username & password are correct -> log in to front.php.
                   }
                   else //$pass != "password"
                   {
                       $pass_error = "Invalid Password.";
                   }
         }
         else //$uname != "username"
         {
              $uname_error = "Invalid Username.";
         }
    }
    mysqli_close($conn);
?>

EDIT 1: login.php has been fixed.

O San
  • Your form is posting to `front.php`, not `login_check.php`. You include `login_check.php` before the form has been posted, so those values won't be set. You need to reassess the structure here –  Apr 18 '19 at 04:27
  • ^ don't do that or what you have; never store plain text passwords –  Apr 18 '19 at 04:30
  • check this https://stackoverflow.com/a/55240307/5463213 – Shanteshwar Inde Apr 18 '19 at 04:55
  • password with php https://www.php.net/manual/de/function.password-hash.php – Ibu Apr 18 '19 at 04:57
  • It is just a simple one. So I would like to make it work first before going for password hashing. – O San Apr 18 '19 at 05:06
  • Your SELECT statement needs a WHERE clause. Without a WHERE clause the SELECT will return all users from the database. And you don't seem to execute the query. – CharlesEF Apr 18 '19 at 05:19
  • Your query is just in a variable; you never called mysqli_query. I have updated the login procedure; you can take a look. – Ziaur Rahman Apr 18 '19 at 05:37

4 Answers

1

Your form's action is front.php and the validation code lies in login_check.php.

The validation code will not execute because, after submit, the form will redirect to front.php.

You can set the form's action to login_check.php (the redirect target) and the validations will apply.

Also, the redirection will work smoothly.

So, concluding, 2 changes:

1) Remove/comment <?php require 'login_check.php'; ?>

2) Change form action From

<form method="post" action="front.php">

To

<form method="post" action="login_check.php">

Pupil
  • I have already fixed `login.php`, but I think there could be some syntax errors in the if-else conditions or the MySQL statement in `login_check.php` – O San Apr 18 '19 at 05:05
1

First, you should store the password as a hash, not in plain text.

I also recommend using PDO and prepared statements, but this is up to you.

// File: login_check.php

//Establish connection
// include 'connection.php'; 
// PDO Connection String
$pdo = new PDO('mysql:host=localhost;dbname=test', 'username', 'password');
// Make PDO throw on errors instead of failing silently (the default before PHP 8)
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$uname_error = $pass_error ="";    

// PHP rewrites spaces in request field names to underscores, so the button
// named "Log In" in the form arrives as $_POST['Log_In']
if(isset($_POST['Log_In']))
{
    // Prepares the SQL Statement
    $query = $pdo->prepare('SELECT admin_username, admin_password FROM admins WHERE admin_username = :username');
    // Fills the named parameter with the username and executes the query
    // (execute() only returns true/false; rows are fetched from the statement itself)
    $query->execute(['username' => $_POST['username'] ?? '']);
    // Fetches the result (false when there is no such username)
    $result = $query->fetch(PDO::FETCH_ASSOC);

    // Check if the DB has an entry with this username and check if the password matches the password hash
    if($result !== false && password_verify($_POST['password'] ?? '', $result['admin_password']))
    {
        header("location:front.php"); //If username & password are correct -> log in to front.php.
        exit; // stop the script after the redirect
    }
    else
    {
        $pass_error = "Invalid Username or Password.";
    }
}

Create a Hashed password in PHP

<?php
// Create Password with php default Hashing Algo (bcrypt)
$password = password_hash('password', PASSWORD_DEFAULT);

?>
Dharman
Spirit
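A complete login_check.php along the lines this answer recommends (PDO prepared statement plus password_verify()), written here as an added example and not taken from the question or any answer. It assumes connection.php provides a PDO handle named `$pdo` (the question's connection.php exposes a mysqli `$conn`), that `admins` has an `id` column, and that `admin_password` holds password_hash() output.

```php
<?php
// login_check.php: added example, not the question's or any answer's code.
// Assumptions: connection.php exposes a PDO handle $pdo, admins has an `id`
// column, and admin_password stores password_hash() output.
session_start();
require 'connection.php';
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$uname_error = $pass_error = '';

// Run the check only for a real form submission. Including this file on a
// plain GET (as the question's login.php did) is what produced the
// "undefined index" notices, because $_POST is empty then. Guarding on the
// request method also sidesteps PHP rewriting spaces in field names, which
// turns the "Log In" button into $_POST['Log_In'].
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $uname = $_POST['username'] ?? '';
    $pass  = $_POST['password'] ?? '';

    // Prepared statement: the username travels as a bound parameter, so it
    // needs no escaping and cannot change the shape of the SQL.
    $stmt = $pdo->prepare(
        'SELECT id, admin_password FROM admins WHERE admin_username = :username'
    );
    $stmt->execute([':username' => $uname]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);   // false when no such admin

    // Always run password_verify(), even for an unknown username, against a
    // throwaway hash so response time does not reveal which usernames exist.
    $hash = $row['admin_password'] ?? password_hash('dummy', PASSWORD_DEFAULT);
    $ok   = password_verify($pass, $hash) && $row !== false;

    if ($ok) {
        session_regenerate_id(true);          // fresh session id: blocks fixation
        $_SESSION['admin_id'] = $row['id'];   // front.php checks this for access
        header('Location: front.php');
        exit;                                 // never keep executing after a redirect
    }
    // One generic message for both failure cases: do not tell the caller
    // whether the username or the password was the wrong half.
    $pass_error = 'Invalid username or password.';
}
```

front.php must itself check `isset($_SESSION['admin_id'])` at the top and send unauthenticated visitors back to login.php; the redirect in login_check.php is not what protects the page.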
0

In your HTML -

<?php require 'login_check.php'; ?>
<form method="post" action="front.php">
        <input type="text" name="username" value="username" placeholder="Username" style="font-size: 24px" required>
        <span class="error"><?= $uname_error ?></span>
        <input type="password" name="password" value="password" placeholder="Password" style="font-size: 24px" required>
        <span class="error"><?= $pass_error ?></span>
        <button type="submit" name="Log In" value="Log In">Log In</button> <!--Go to front.php if both username and password are correct.-->
</form>

The form action is front.php, which should be login_check.php. Also there is no use of <?php require 'login_check.php'; ?>, so you can remove that. You coded very basic login code; I think at least you should encrypt the password, and also improve your login query.

// Assumes $conn, $uname and $pass from the question's login_check.php
$error = '';
$result = mysqli_query($conn,"SELECT id, admin_password FROM admins WHERE admin_username = '$uname'");
if(mysqli_num_rows($result)==1){
    // Read the row only once we know there is exactly one
    list($id,$password) = mysqli_fetch_row($result);
    // Plain-text compare, as in the question; with hashed passwords use password_verify($pass, $password)
    if($password === $pass){
        session_start();
        $_SESSION['userid'] = $id;
        $_SESSION['username'] = $uname;
        header("location:front.php");
        exit; // nothing below should run after the redirect
    }else{
        $error = "Invalid Password.";
    }
}else{
    $error = "username does not exist";
}
Ziaur Rahman
-1

If you wanted to check the username and password against the database, you never did it: your SQL query has never been executed. Although storing plain-text passwords is wrong, in case of using that, your login_check.php must be something like this:

<?php
//Establish connection
include 'connection.php';

$uname_error = $pass_error ="";

// Default to '' so a GET request does not trigger the undefined index notices
$uname = mysqli_real_escape_string($conn, $_POST['username'] ?? '');
$pass = mysqli_real_escape_string($conn, $_POST['password'] ?? '');
// Escaped values are quoted into the query; plain-text password compare, as this answer assumes
$sql = "SELECT * FROM admins WHERE admin_username = '$uname' AND admin_password = '$pass'";

$result = $conn->query($sql);
if ($result->num_rows > 0) {
    header("location:front.php");
    exit; // stop the script after the redirect
} else {
    die('the combination is wrong');
}